Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

Tom Herbert <tom@herbertland.com> Mon, 22 May 2023 23:04 UTC

References: <11087a11-476c-5fb8-2ede-e1b3b6e95e48@si6networks.com> <CALx6S343f_FPXVxuZuXB4j=nY-SuTEYrnxb3O5OQ3fv5uPwT8g@mail.gmail.com> <CAN-Dau1pTVr6ak9rc9x7irg+aLhq0N8_WOyySqx5Syt74HMX=g@mail.gmail.com> <a087b963-1e12-66bf-b93e-5190ce09914b@si6networks.com> <CALx6S349nNA8L5+_1hrbWayqp8GfTYypWy_SP57c_Xxams=csg@mail.gmail.com> <51a066b3-4b4c-d573-ffbe-d6b44a4f193f@gont.com.ar> <a411a1b0-c521-c456-3d44-d99a1cc0975b@gmail.com> <CAN-Dau3MLvK2A_Rt_TnXqZY-zOR12NhF-16tKDv4E4s9qR1D_Q@mail.gmail.com> <2341.1684770818@localhost> <CAN-Dau04XOL0Afyrb-msE5OHX2c9KFuYt2N5san9mqq8k1BW3w@mail.gmail.com> <4d2abda3-19a1-4afb-85f6-95ddb9fc9043@gont.com.ar>
In-Reply-To: <4d2abda3-19a1-4afb-85f6-95ddb9fc9043@gont.com.ar>
From: Tom Herbert <tom@herbertland.com>
Date: Mon, 22 May 2023 16:03:45 -0700
Message-ID: <CALx6S34kizt4GrNsGHsObHdkJ9v4GOxP3FmVxKjVn=2fRYaO4g@mail.gmail.com>
To: Fernando Gont <fernando@gont.com.ar>
Cc: David Farmer <farmer=40umn.edu@dmarc.ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, IPv6 Operations <v6ops@ietf.org>, 6man <ipv6@ietf.org>, opsec@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/EFdcOy9qZzqRAXEC6QY2UA3NFnU>
Subject: Re: [IPv6] [v6ops] Why folks are blocking IPv6 extension headers? (Episode 1000 and counting) (Linux DoS)

On Mon, May 22, 2023 at 12:29 PM Fernando Gont <fernando@gont.com.ar> wrote:
>
> Hi, David,
>
> On 22/5/23 18:05, David Farmer wrote:
> [...]
> >
> >     I think that many of us are still reeling from default configuration of
> >     certain "firewalls" that banks seemed like, which dropped packets
> >     containing
> >     ECN, and TCP options, and made it very very difficult to deploy new
> >     things.
> >     Even when at the IETF standards level... (so "innovation with
> >     permission")
> >
> >
> > So, I think we need "permissionless innovation" at the Internet level.
> > Nevertheless, that doesn't mean "innovation with permission" isn't
> > appropriate in some or even many situations. For example, in a situation
> > involving public safety, like a nuclear reactor or a missile control
> > system. We can all agree that "permissionless innovation" isn't
> > necessarily appropriate in situations like these.
>
> For the Security guy, the "nuclear reactor" is the infrastructure that,
> if compromised or DoS, causes clients to complain, money to be lost, and
> eventually, staff to be fired.
>

Fernando,

That's the viewpoint for a Network Security guy, but as a Host
Security guy, network policy ostensibly put in place to protect the
host is irrelevant. The reason should be obvious: unless there is a
network security policy consistently implemented across all networks,
we, host developers and application developers, can't count on it, and
it really doesn't help secure the host. In fact, it's more likely
that these inconsistent policies are counterproductive, since we have
to insert hacks to try to work around network security policies which
themselves could create issues (for instance, think about the hacks we
need to do to try to keep an anonymous stateful firewall in the path
from arbitrarily evicting our connection from its cache).

Tom

> Yes, I love to play with EHs.... in a lab. :-)
>
> Thanks,
> --
> Fernando Gont
> e-mail: fernando@gont.com.ar
> PGP Fingerprint: 7F7F 686D 8AC9 3319 EEAD C1C8 D1D5 4B94 E301 6F01
>
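The host-side "hack" Tom mentions, keeping an idle connection alive so that an anonymous stateful firewall on the path does not evict it from its cache, is in practice TCP keepalive tuned to a timeout the host cannot see. The following is an added example (not code from this thread, the Linux kernel, or any project named above) that plans keepalive timers against an assumed firewall idle timeout, applies them to a socket, and reads back what the kernel actually accepted. The 300-second timeout, the helper names `plan_keepalive`, `worst_case_detect_time`, `enable_keepalive` and `demo`, and the half-the-timer heuristic are all assumptions made for the example; the socket option names are the standard Linux ones (macOS exposes the idle timer as `TCP_KEEPALIVE`, which is handled by fallback).

```python
import socket

# Constructed example value: the idle timeout of some stateful firewall on
# the path. Middleboxes do not advertise this, which is exactly the problem
# the host has to work around by guessing.
ASSUMED_FIREWALL_IDLE_TIMEOUT = 300  # seconds


def plan_keepalive(firewall_idle_timeout):
    """Choose keepalive timing so the first probe leaves well before the
    firewall's idle timer fires, with room for a lost probe or two.

    Returns (idle, interval, count): seconds of silence before the first
    probe, seconds between probes, and probes sent before the host
    declares the peer dead. The half-the-timer rule is a heuristic
    assumed for this example, not a standard.
    """
    if firewall_idle_timeout < 4:
        raise ValueError("timeout too short to keep a connection alive")
    idle = firewall_idle_timeout // 2   # first probe at half the timer
    interval = max(1, idle // 4)        # retries finish before the timer too
    count = 3
    return idle, interval, count


def worst_case_detect_time(idle, interval, count):
    """Seconds of silence after which the host gives up on a peer that
    answers no probe at all: the idle wait plus every retry."""
    return idle + interval * count


def enable_keepalive(sock, idle, interval, count):
    """Enable TCP keepalive on a socket and set the per-socket timers where
    the platform exposes them. Returns the values read back from the
    kernel, so the caller can verify what actually took effect rather
    than trusting the request."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {
        "SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    }
    # Linux names first; macOS calls the idle timer TCP_KEEPALIVE.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", getattr(socket, "TCP_KEEPALIVE", None))
    options = (
        ("TCP_KEEPIDLE", idle_opt, idle),
        ("TCP_KEEPINTVL", getattr(socket, "TCP_KEEPINTVL", None), interval),
        ("TCP_KEEPCNT", getattr(socket, "TCP_KEEPCNT", None), count),
    )
    for name, opt, value in options:
        if opt is None:
            continue  # this platform has no per-socket knob for it
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def demo(firewall_idle_timeout=ASSUMED_FIREWALL_IDLE_TIMEOUT):
    """Create a not-yet-connected TCP socket (IPv6 where the kernel allows
    it), apply the planned timers, and return what the kernel reports.
    Connecting and using the socket is left to the caller."""
    idle, interval, count = plan_keepalive(firewall_idle_timeout)
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:  # kernel without IPv6; the keepalive options are identical over IPv4
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with s:
        return enable_keepalive(s, idle, interval, count)


if __name__ == "__main__":
    idle, interval, count = plan_keepalive(ASSUMED_FIREWALL_IDLE_TIMEOUT)
    print("applied:", demo())
    print("peer declared dead after", worst_case_detect_time(idle, interval, count), "s of silence")
```

Reading the options back matters: a socket sysctl cap, a container runtime, or an older kernel can silently clamp or ignore a requested timer, and the only way a host knows its workaround is actually in place is to check. Note that this keeps the firewall's state entry alive by generating traffic; it does nothing about the firewall dropping packets with extension headers, which is the thread's original complaint.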